New Cyber Threats Juice Pay for Security Chiefs

The growing threat of data breaches, highlighted by credit card data thefts at Target and Neiman Marcus this holiday season, is creating demand for a new brand of cyber security officer. Even though the title of chief information security officer is itself relatively new, the skills and experiences required of CISOs are evolving along with the nature of the threats companies are facing.

CISOs are also increasingly in demand during board discussions and in some cases are reporting to corporate finance or risk officers rather than to IT, say executive recruiters whose job it is to find and place such people. With this growing demand, salaries for CISOs have ballooned in the past few years.

CISOs were once promoted from the ranks of server rooms, and were typically experts in managing computer networks targeted by hackers, who were more often than not joyriders on the Information Superhighway. As attackers have become more organized, and are often funded by political or criminal organizations, the profile of the CISO has changed as well, according to recruiters in the field.

“Five years ago the CISO was almost unheard of,” says Chris Patrick, the global CIO practice group lead at the executive search and talent management firm Egon Zehnder International. Where the title did exist, it was usually held by someone versed deeply in infrastructure. “Now it’s been elevated as a strategically important element within IT.” Egon Zehnder is developing a CISO practice to meet the growing demand for executive-level talent. “That’s another indicator that there’s an opportunity and there’s a need there,” he said.

Salaries for CISOs vary by industry, with compensation in financial services typically outstripping pay in retail or manufacturing. Shawn Banerji, managing director of the information officers practice at Russell Reynolds Associates, says CISO salaries have grown between 50% and 100% over the past couple of years. Given the heightened demand, CISOs can command salaries ranging from $350,000 to $1 million per year, he said.

“Salaries have absolutely gone up and are going to continue to go up,” Patrick concurred.

Banerji notes that “the job description has changed pretty dramatically. Five years ago most people in the role were essentially hard core network technologies people. The CISO of today needs to be much more of a business leader who marries significant technology credentials with equally strong strategy and commercial skills,” he said.

McNamara of Korn/Ferry says while the role “used to report into IT, and in most cases still does,” more and more CISOs are being asked to report to chief counsels or chief risk officers “for compliance and regulatory reasons.”

Patrick says companies are beginning to think twice about having “IT auditing its own security.” So while most CISOs still report to CIOs or other IT executives, “that’s going to change,” he said.

Corporations are also adjusting the types of defenses they erect to protect their electronic assets. “What you are starting to see is the introduction of new concepts that will eventually change security, not unlike the way the cloud and mobility have changed IT over the last 10 years,” says Justin Somaini, the executive managing security and privacy at Box, the cloud-based data storage company. Somaini was previously CISO at Yahoo and Symantec.

Mike Wilson, CISO of McKesson, said the CISO role has evolved from one of gatekeeper to that of portfolio manager, who assesses risk and evaluates technologies. He said employees’ growing use of mobile devices and cloud applications over the last five years increases pressure to protect the company’s intellectual capital.

Wilson said he sees threat assessment technologies evolving toward “anomalous detection,” such as pinpointing the origin of unusually high network traffic. Those detection technologies will become increasingly powerful as Big Data evolves.